SYSTEM AND METHOD FOR MANAGING USER DATA IN A PLURALITY OF DATABASES

CROSS REFERENCE TO RELATED APPLICATIONS 

This application claims priority to a provisional application entitled "SYSTEM AND 
METHOD FOR MANAGING USER DATA IN A PLURALITY OF DATABASES" filed 
in the United States Patent and Trademark Office on July 11, 2003 and assigned Serial No.
60/486,517, the entire contents of which are hereby incorporated by reference. This
application is also related to U.S. provisional application Serial Nos. 60/486,512 and
60/486,508, each filed on July 11, 2003, the entire contents of each of these applications also
being incorporated by reference. 

BACKGROUND 

1. Field 

The present invention relates generally to database management systems, and more 
particularly, to a system and method for managing user data in a plurality of databases. 

2. Description of the Related Art 

Driven by new Internet technologies, business growth requires organizations to 
extend their systems, applications and directories to partners, suppliers, customers and 
employees. This explosion in user population makes the task of managing user accounts 
increasingly complex. It also creates a new need for identity management — the ability to 
control and monitor individual user access over time.

Compounding this situation are the business realities of mergers, acquisitions and
divestitures — the numbers of users are increasing and the numbers of system types are
expanding. IT directors are forced to manage multiple operating systems, mail systems,
network operating systems and home-grown applications distributed across various, often
worldwide locations.

Individually managing multiple directories is time-consuming, costly and error-prone 
— especially in organizations where changes frequently occur. Keeping up with the daily 
maintenance can be a significant task. Ensuring overall security and integrity across the 
board increases the challenge. 

To meet these challenges, administrative security systems have been developed to 
provide user account management across multiple, geographically dispersed security 
systems and directories. An example of one such system is eTrust™ Admin commercially 
available from Computer Associates International, Inc. of New York, the assignee of the 
present application. These systems enable the creation, modification and removal of users 
across multiple, heterogeneous environments. The single administrative security system 
allows administrators to centrally define and manage security policies across an enterprise
by automating the provisioning of user accounts on a variety of IT systems and ERP
(Enterprise Resource Planning) applications, for example, using a role-based approach. That
is, role-based user provisioning enables the administrators to automatically provide users
with a set of userids based on their business functions and ensures consistent user access
policies are applied across a wide range of system types and directories.

With the advances in centralizing the administration of user accounts, there remains
a need for techniques for extracting data from directories and ERP applications to populate 
the administrative security systems without manually reentering the existing data. 

SUMMARY 

A system and method for managing user data in a plurality of databases is provided. 
The system and method extracts user data from a source application, repository or database,
transforms the user data into global user data, and sends the global user data to a target 
application capable of managing the global user data across various environments. 

According to an aspect of the present invention, an interface module for integrating 
data from a source application to a target application is provided comprising a publisher for 
publishing the extracted data in an XML message; and a subscriber for uncompressing the 
XML message. The publisher includes a full data replication mechanism for initially 
publishing the entire content of the source application and an incremental updates 
mechanism for publishing changes made to the source application after initial publication. 

In another aspect, the subscriber is a Java subscriber. 

In a further aspect, the subscriber includes an EDI engine for uncompressing the
XML message when a number of XML messages is greater than a first predetermined 
threshold. 

According to another aspect of the present invention, a method for integrating data 
from a source application to a target application is provided. The method comprises the steps 
of publishing an XML message of user data from the source application; receiving, decoding
and uncompressing the XML message; and transforming the XML message into a workflow
request for integrating the source data to the target application. 

In a further aspect of the present invention, a program storage device readable by a
machine, tangibly embodying a program of instructions executable by the machine to 
perform method steps for integrating data from a source application to a target application is 
provided, the method steps comprising publishing an XML message of user data from the 
source application; receiving, decoding and uncompressing the XML message; and 
transforming the XML message into a workflow request for integrating the source data to 
the target application. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The above and other aspects, features, and advantages of the present invention will 
become more apparent in light of the following detailed description when taken in 
conjunction with the accompanying drawings in which: 

FIG. 1 is a block diagram of an exemplary system for managing user data in a 
plurality of databases in accordance with an embodiment of the present invention; 

FIG. 2 is a block diagram of an interface module in accordance with an embodiment 
of the present invention; 

FIG. 3 is a block diagram of a business transformation logic (BTL) engine in 
accordance with an embodiment of the present invention; 

FIG. 4 is a flow diagram illustrating a method for managing user data in a plurality 
of databases in accordance with an embodiment of the present invention; and

FIG. 5 is an overall flow diagram illustrating a system and method for managing user
data in a plurality of databases, where a source application or repository is a PeopleSoft™ 
application and a target application or repository is eTrust™ Admin. 

DETAILED DESCRIPTION 



Preferred embodiments of the present invention will be described hereinbelow with
reference to the accompanying drawings. In the following description, well-known
functions or constructions are not described in detail to avoid obscuring the invention in
unnecessary detail.

A system and method for managing user data in a plurality of databases is provided.
The system and method extracts user data from a source application, repository or database,
transforms the user data into global user data, and sends the global user data to a target
application capable of managing the global user data across various environments.

FIG. 1 is a block diagram of a system for managing user data in a plurality of
databases. Generally, the system 100 includes an interface module 102 for extracting user
data from a source application 104 and a business transformation logic (BTL) engine 106 for
transforming the user data into a format usable by a target application 108. The interface
module 102 includes a publisher 110 for extracting user data, e.g., employee data, from the
source application 104. The publisher 110 publishes an XML message from the extracted
user data and sends it to a subscriber 112. The subscriber 112 receives, decodes, and
uncompresses the XML message. The subscriber 112 then sends the data to the BTL engine
106 that creates a MessageContext object with XML messages and sends it through a chain
of BTL handlers, which will be described in detail below. From the BTL handlers, the object
is sent to a workflow engine 114 where a request is created and sent to the target application
108. Depending on the request, the target application 108 creates, modifies, or deletes global
users, their accounts, or changes the roles associated with a global user. Additionally, a 
configuration GUI (graphical user interface) 116 is provided for a user, e.g., an
administrator, to define the information to be transformed from the source application 104 to
the target application 108. 

It is to be understood that the present invention may be implemented in various
forms of hardware, software, firmware, special purpose processors, or a combination 
thereof. In one embodiment, the present invention may be implemented in software as an 
application program tangibly embodied on a program storage device. The application 
program may be uploaded to, and executed by, a machine comprising any suitable 
architecture. Preferably, the machine is implemented on a computer platform having 
hardware such as one or more central processing units (CPU), a random access memory 
(RAM), a read only memory (ROM) and input/output (I/O) interface(s) such as a keyboard,
cursor control device (e.g., a mouse or joystick) and display device. The computer platform 
also includes an operating system and micro instruction code. The various processes and 
functions described herein may either be part of the micro instruction code or part of the 
application program (or a combination thereof) which is executed via the operating system. 
In addition, various other peripheral devices may be connected to the computer platform 
such as an additional data storage device and a printing device. 

Additionally, it is to be appreciated that the system and method may be implemented 
on several machines coupled together over a network, e.g., a local area network (LAN), a 
Wide Area Network (WAN), the Internet, etc. For example, the interface module may be
implemented on a first machine while the business transformation logic engine may be
implemented on a second machine. 

It is to be further understood that, because some of the constituent system 
components and method steps depicted in the accompanying figures may be implemented in 
software, the actual connections between the system components (or the process steps) may 
differ depending upon the manner in which the present invention is programmed. Given the 
teachings of the present invention provided herein, one of ordinary skill in the related art 
will be able to contemplate these and similar implementations or configurations of the 
present invention. 

An embodiment of the present invention will be described below using a 
PeopleSoft™ application as the source application and Computer Associates' eTrust™ 
Admin as the target application with reference to FIGS. 2 and 3, where FIG. 2 is a graphical 
representation of a PeopleSoft™ eTrust™ Admin Interface (PETAI) module 202 and FIG. 3 
is a block diagram of the BTL engine 306. It is to be appreciated that although the 
embodiment described below references PeopleSoft's HRMS (Human Resources
Management System), the principles of the present invention will apply to other source
applications and are not limited to that described below.

The main purpose of PETAI module 202 is to interface with PeopleSoft™ and to 
feed the PeopleSoft™ data onto the BTL Engine 306. The feed process will take place using 
two different mechanisms: Full Data Replication and Incremental Updates. The Full Data 
Replication process will be used to seed, or initially populate or repopulate, a copy of the 
entire sub-set of PeopleSoft™ records and fields exported onto eTrust™ Admin. The 
Incremental Updates mechanism will keep eTrust™ Admin current, with changes made on
the master PeopleSoft™ data. Incremental updates will contain only the records where the
data has been modified. 

The PETAI module 202 will be implemented using PeopleSoft™ Enterprise 
Integration technology, specifically using Application Messaging 211, and will be loaded
into the PeopleSoft™ application. PeopleSoft™ Application Messaging is based on a 
"publish-and-subscribe" model that enables a third party external system to integrate with 
PeopleSoft™ applications via XML/HTTP(S) messages. 

The PETAI module 202 includes a publisher 210 and a subscriber 212. The 
publisher mechanism 210 will be deployed onto PeopleSoft™ and will publish and deliver 
the XML messages to eTrust™ Admin subscriber 212. The PETAI module 202 will 
comprise two separate publisher mechanisms, one for implementing the Full Data
Replication 210-1 and one for the Incremental Updates 210-2. The eTrust™ Admin
subscriber mechanism 212 will be deployed onto the PeopleSoft™ Application Messaging 
Gateway 211 and will capture, transform and pass the XML messages onto the BTL engine 
306. Additionally, the PETAI module 202 will include a PETAI Message Node, a PETAI 
Message Channel and PETAI Message definitions. The message node and channel are the 
common objects shared by all message definitions. The PETAI node will be the connection 
point to eTrust Admin. The PETAI node will be defined as an external node pointing to the
Application Messaging Gateway servlet, where the PETAI Java subscriber 212 is registered 
and deployed. The PETAI message channel is a common object that groups all PETAI 
message definitions. Routing rules within PETAI message channel will route PETAI 
published messages to the PETAI message node. Message definitions will be defined 
separately for each publisher mechanism.

The Incremental Updates Publisher mechanism 210-2 will subscribe to internal
application messages that synchronize PeopleSoft™ database components when changes are
being made to the PeopleSoft™ records and fields. Then, it will build the PeopleSoft™
XML message(s) and populate it (them) with the data, and finally publish it (them) onto the
eTrust™ Admin subscriber 212. The Full Data Replication Publisher mechanism 210-1 will
query all the defined PeopleSoft™ records and fields to get a full copy of data, then it will
build the PeopleSoft™ XML message(s) and populate it (them) with the data, and finally
publish it (them) onto the eTrust™ Admin subscriber 212.

Many PeopleSoft™ application tables are effective-dated, meaning that historical and 
future-date rows may be present on the table. eTrust™ Admin does not use effective dating 
so the PETAI module 202 will need to filter and provide only the current or active 
information before feeding it onto eTrust™ Admin. This filtering process will take place in 
the publisher 210 and needs to be implemented for both full data replication and incremental 
updates publisher mechanisms. 

The PETAI module 202 will define a sub-set of PeopleSoft™ records and fields that 
will be published and delivered to the eTrust™ Admin subscriber 212. This definition will 
be taken from the PeopleSoft™ Message definition(s) that will carry the data to
eTrust™ Admin. Separate PeopleSoft™ message definitions will be created for the full
data replication and incremental updates publishers. 

The subscriber 212, e.g., a Java subscriber, will be deployed and registered into the 
PeopleSoft™ Application Messaging Gateway Servlet. It will be in charge of capturing,
decoding and uncompressing any XML messages delivered to eTrust™ Admin, and passing
them onto the BTL engine 306. Transformations will change the format used in the XML
message from a PeopleSoft™ format to an eTrust™ Admin format. The Java subscriber 212
will also integrate with the PeopleSoft™ Application Messaging Config Servlet. The Config
servlet will allow the administrator to load/unload the PETAI Java subscriber 212 as well as
configure PeopleSoft™ Nodes to be subscribed from. Integration code will interface with
the Config servlet APIs including an HTML graphical user interface for the Java subscriber
configuration.

To handle a large amount of transactions, e.g., a large XML message, the Java
subscriber 212 will process incremental updates and full data replication messages
separately. A transactions threshold will be the mechanism used to determine the type of a
message. A threshold=1 will mean that only messages with one transaction are considered
an incremental update type. Messages with more than one transaction will belong to the full
data replication type. This threshold will be a configuration parameter set to 1 by default.
Incremental update messages will be passed to the BTL engine for immediate processing.
Full data replication messages will be copied to a file where a separate process will process 
them. This second process is implemented by an EDI (Electronic Data Interchange) engine. 

The EDI engine will be a separate process/thread that will monitor the folder where
full data replication messages are copied as files. It will have a separate instance of the BTL
engine and once it finds a new file to process, it will create a MessageContext object using
the XML data from the file and it will pass it on to the BTL engine to process it.

Once the subscriber 212 transforms the user data from the source application, the data
is passed to the BTL engine 306. The purpose of the BTL engine 306 is to provide a means
to transform the input PeopleSoft™ data coming from the PETAI module 202 into
Workflow request(s). The request(s) will lead towards the provisioning, modification or
de-provisioning of an eTrust™ Admin Global user and all associated accounts. The
transformation will be performed by a series of BTL handlers that will be invoked by the
BTL engine 306, as shown in FIG. 3. The invocation process will follow a predetermined
order previously specified in the configuration GUI. Each BTL handler will receive a
MessageContext object, apply its transformation and pass it onto the next handler. The
MessageContext object is a structure, which will contain the PeopleSoft™ data in an XML
format among other parts.

The BTL engine 306 will enable the administrator to determine and assign Roles to 
Global Users based on PeopleSoft™ data; to calculate and assign custom data fields to 
Global User attributes, for example, to generate a user id using two or more PeopleSoft™ 
data fields and some specific business rules; to map data elements within the XML buffer to 
Global User Attributes; to access custom code and/or third party code to set Global User 
attributes; etc. 

The BTL engine 306 will comprise a chain of handlers including a sample template 
handler 330, XSL files handler 332, business rules handler 334, mapping handler 336, and 
generic component handler (Dirsync Handler) 338. 

The template handler 330 will serve as a starting point for the end user to develop 
custom BTL handlers for transforming data. 

The XSL handler 332 will allow the end user to transform the input XML message 
based on a chain of XSL (Extensible Stylesheet Language) files. The stylesheet must be
provided as a separate file containing the XSL Transformation code (no need to re-compile
Java code). To get a hold of the XSL file, this handler will use a parameter in a
configuration file containing an ID for the stylesheet, the name of the XSL file and an order
number to be applied. For example, a PSCAMA (PeopleSoft™ Common Application
Message Attributes) handler may have an entry as follows:

<xsl-entry>
  <stylesheet-id>pscama</stylesheet-id>
  <stylesheet-filename>pscama.xsl</stylesheet-filename>
  <stylesheet-order>1</stylesheet-order>
</xsl-entry>
<xsl-entry>
  <stylesheet-id>sample</stylesheet-id>
  <stylesheet-filename>sample.xsl</stylesheet-filename>
  <stylesheet-order>2</stylesheet-order>
</xsl-entry>

The PSCAMA XSL program will provide the functionality to filter PSCAMA and 
data records in the XML message. The filtering code will use an audit action field 
(AUDIT_ACTN) at the PSCAMA record to filter the data records in the XML message.
Logic will be as follows:

The data record will be included in the output if

• PSCAMA record not present for a specific data record

• PSCAMA record is present and AUDIT_ACTN is set to 'A' or 'C' or 'N' or

A sample XSL program will also be provided. It will serve as a starting point for the 
end user, e.g. administrator, to develop custom XSL programs. 

The business rules (BR) handler 334 enables the user to create a set of decision 
tables that match their specific needs. A decision table is a set of business rules that 
determine the assignments of special Global User attributes required in the user provisioning 
process. Special Global User attributes can be roles, profiles, groups, or any other attribute 
requiring special treatment to determine its value. Decision tables present a sophisticated 
mechanism to set special attributes without having to write any code.

For each special Global User attribute an administrator may want to assign, the
administrator will create one decision table. Each decision table needs to specify a set of
input parameters to be used in the calculation of the attribute value. A decision table header
enables the administrator to provide this information. The header's first column is where the
output field name is to be placed. Valid output field names are considered any field name on
the ETRUST ADMIN record. The rest of the header columns are where the input
parameters are to be placed. Valid input parameters are considered any field on the XML 
message and must be defined using XPath standard syntax. 

The decision table rows are where the business rules are defined. Each row specifies 
the output value, the combination of comparison values, and operators for assigning the 
value. The first column on each row is where the output value is placed. The rest of the row 
columns are where the comparison values and the operators are placed. Valid comparison 
values are any real value in the PeopleSoft™ database and valid comparison operators are
'=' (equal) and '!=' (not equal).

The following decision table example assigns the Global User Role attribute
(Role-Name) and uses three input parameters to calculate the value (Country, Department ID, and
Company). The sample defines two business rules for assigning two different role values.

Role-Name             PERSON/PERSONAL_DATA/COUNTRY  PERSON/JOB/DEPTID  PERSON/JOB/COMPANY
NAmerica_HR_GBI_Role  =USA                          =HR                =GBI
International_Role    !=USA

The following is the above decision table in XML format:

<decision-table-entry>
  <decision-table-id>roles</decision-table-id>
  <header>
    <header-output>
      <header-field-name>Role-Name</header-field-name>
    </header-output>
    <header-input-entry>
      <header-position>0</header-position>
      <header-xpath>PERSON/PERSONAL_DATA/COUNTRY</header-xpath>
    </header-input-entry>
    <header-input-entry>
      <header-position>1</header-position>
      <header-xpath>PERSON/JOB/DEPTID</header-xpath>
    </header-input-entry>
    <header-input-entry>
      <header-position>2</header-position>
      <header-xpath>PERSON/JOB/COMPANY</header-xpath>
    </header-input-entry>
  </header>
  <rows>
    <row-entry index="0">
      <row-output>
        <row-field-value>NAmerica_HR_GBI_role</row-field-value>
      </row-output>
      <row-input-entry>
        <row-position>0</row-position>
        <row-comparison-value>USA</row-comparison-value>
        <row-comparison-operator>=</row-comparison-operator>
      </row-input-entry>
      <row-input-entry>
        <row-position>1</row-position>
        <row-comparison-value>10000</row-comparison-value>
        <row-comparison-operator>=</row-comparison-operator>
      </row-input-entry>
      <row-input-entry>
        <row-position>2</row-position>
        <row-comparison-value>GBI</row-comparison-value>
        <row-comparison-operator>=</row-comparison-operator>
      </row-input-entry>
    </row-entry>
    <row-entry index="1">
      <row-output>
        <row-field-value>International_role</row-field-value>
      </row-output>
      <row-input-entry>
        <row-position>0</row-position>
        <row-comparison-value>USA</row-comparison-value>
        <row-comparison-operator>!=</row-comparison-operator>
      </row-input-entry>
    </row-entry>
  </rows>
</decision-table-entry>
<decision-table-entry>
  <decision-table-id>groups</decision-table-id>
  <header>
    <header-output>
      <header-field-name>Group-Name</header-field-name>
    </header-output>
    <header-input-entry>
      <header-position>0</header-position>
      <header-xpath>PERSON/PERSONAL_DATA/COUNTRY</header-xpath>
    </header-input-entry>
  </header>
  <rows>
    <row-entry index="0">
      <row-output>
        <row-field-value>NAmerica_group</row-field-value>
      </row-output>
      <row-input-entry>
        <row-position>0</row-position>
        <row-comparison-value>USA</row-comparison-value>
        <row-comparison-operator>==</row-comparison-operator>
      </row-input-entry>
    </row-entry>
    <row-entry index="1">
      <row-output>
        <row-field-value>International_group</row-field-value>
      </row-output>
      <row-input-entry>
        <row-position>0</row-position>
        <row-comparison-value>USA</row-comparison-value>
        <row-comparison-operator>!==</row-comparison-operator>
      </row-input-entry>
    </row-entry>
  </rows>
</decision-table-entry>

The business rules handler 334 then sends the message to the mapping handler 336. 
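
An added illustration (not code from this application or from eTrust™ Admin) of how a business rules handler could evaluate the "roles" decision table above. Assumptions: rows are tried in index order and the first matching row wins, a missing or empty input field never satisfies a comparison (so '!=USA' does not assign a role on incomplete data), and the sample messages are constructed with a PERSON root so that the header XPaths resolve.

```python
import xml.etree.ElementTree as ET

# The "roles" decision table from the text, embedded so the example runs offline.
ROLES_TABLE = """
<decision-table-entry>
  <decision-table-id>roles</decision-table-id>
  <header>
    <header-output><header-field-name>Role-Name</header-field-name></header-output>
    <header-input-entry><header-position>0</header-position>
      <header-xpath>PERSON/PERSONAL_DATA/COUNTRY</header-xpath></header-input-entry>
    <header-input-entry><header-position>1</header-position>
      <header-xpath>PERSON/JOB/DEPTID</header-xpath></header-input-entry>
    <header-input-entry><header-position>2</header-position>
      <header-xpath>PERSON/JOB/COMPANY</header-xpath></header-input-entry>
  </header>
  <rows>
    <row-entry index="0">
      <row-output><row-field-value>NAmerica_HR_GBI_role</row-field-value></row-output>
      <row-input-entry><row-position>0</row-position>
        <row-comparison-value>USA</row-comparison-value>
        <row-comparison-operator>=</row-comparison-operator></row-input-entry>
      <row-input-entry><row-position>1</row-position>
        <row-comparison-value>10000</row-comparison-value>
        <row-comparison-operator>=</row-comparison-operator></row-input-entry>
      <row-input-entry><row-position>2</row-position>
        <row-comparison-value>GBI</row-comparison-value>
        <row-comparison-operator>=</row-comparison-operator></row-input-entry>
    </row-entry>
    <row-entry index="1">
      <row-output><row-field-value>International_role</row-field-value></row-output>
      <row-input-entry><row-position>0</row-position>
        <row-comparison-value>USA</row-comparison-value>
        <row-comparison-operator>!=</row-comparison-operator></row-input-entry>
    </row-entry>
  </rows>
</decision-table-entry>
"""

# Only the two operators the text names as valid; anything else is rejected at load time.
OPERATORS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def load_decision_table(xml_text):
    """Parse one <decision-table-entry> into (output_field, rules)."""
    entry = ET.fromstring(xml_text.strip())
    output_field = entry.findtext("header/header-output/header-field-name").strip()
    xpaths = {int(h.findtext("header-position")): h.findtext("header-xpath").strip()
              for h in entry.findall("header/header-input-entry")}
    rules = []
    for row in sorted(entry.findall("rows/row-entry"), key=lambda r: int(r.get("index"))):
        conditions = []
        for cond in row.findall("row-input-entry"):
            pos = int(cond.findtext("row-position"))
            op = cond.findtext("row-comparison-operator").strip()
            if pos not in xpaths or op not in OPERATORS:
                raise ValueError(f"invalid rule in row {row.get('index')}: {pos} {op!r}")
            conditions.append((xpaths[pos], op, cond.findtext("row-comparison-value").strip()))
        rules.append((row.findtext("row-output/row-field-value").strip(), conditions))
    return output_field, rules


def _holds(doc, xpath, op, expected):
    actual = (doc.findtext(xpath) or "").strip()
    if not actual:
        return False  # assumption: a missing or empty field never satisfies '=' or '!='
    return OPERATORS[op](actual, expected)


def evaluate(table, message_xml):
    """Return (output_field, value); value is None when no row matches (nothing assigned)."""
    if "<!DOCTYPE" in message_xml:
        raise ValueError("DTDs are not expected in a provisioning message")
    output_field, rules = table
    doc = ET.Element("document")  # wrapper so header XPaths resolve from the document root
    doc.append(ET.fromstring(message_xml))
    for value, conditions in rules:  # assumption: index order, first matching row wins
        if all(_holds(doc, *c) for c in conditions):
            return output_field, value
    return output_field, None


def person(country, deptid, company):
    """Build a constructed sample message; pass None to omit a field."""
    fields = lambda pairs: "".join(f"<{k}>{v}</{k}>" for k, v in pairs if v is not None)
    return ("<PERSON><PERSONAL_DATA>" + fields([("COUNTRY", country)]) + "</PERSONAL_DATA><JOB>"
            + fields([("DEPTID", deptid), ("COMPANY", company)]) + "</JOB></PERSON>")


if __name__ == "__main__":
    table = load_decision_table(ROLES_TABLE)
    for msg in (person("USA", "10000", "GBI"), person("CAN", "13000", "GBI"),
                person(None, "13000", "GBI")):
        print(evaluate(table, msg))
```

With a literal string comparison, a record with no COUNTRY element would satisfy '!=USA'; treating absent inputs as non-matching keeps an incomplete HR record from receiving the international role.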

The BTL mapping handler 336 associates one PeopleSoft™ data field or a custom 
record field to a Global User attribute of the eTrust™ Admin application. The mapping 
supports the association of any element and any non-element within the XML message to a 
Global User Attribute using XPath standard syntax.

The mapping of attributes will be defined by XML data stored in the configuration
file. The end user can customize the XML data to fit their specific needs using the 
configuration GUI. The configuration file will use XPath standard syntax to define the 
mappings having the root element as the context for all definitions. 

The following XML data represents a sample PeopleSoft™ XML message:

<MsgData>
  <Transaction>
    <PERSONAL_DATA class="R">
      <EMPLID>C10001</EMPLID>
      <NAME>Stankowski,Richard</NAME>
      <LAST_NAME>Stankowski</LAST_NAME>
      <FIRST_NAME>Richard</FIRST_NAME>
      <MIDDLE_NAME></MIDDLE_NAME>
      <COUNTRY>USA</COUNTRY>
      <ADDRESS1>11308 Wildflower Lane</ADDRESS1>
      <ADDRESS2></ADDRESS2>
      <ADDRESS3></ADDRESS3>
      <ADDRESS4></ADDRESS4>
      <CITY>Grass Valley</CITY>
      <COUNTY></COUNTY>
      <STATE>CA</STATE>
      <POSTAL>97077</POSTAL>
    </PERSONAL_DATA>
    <JOB_ETA_VW class="R">
      <EMPLID>C10001</EMPLID>
      <DEPTID>13000</DEPTID>
      <DESCR>Finance</DESCR>
      <JOBCODE>KU067</JOBCODE>
      <JOBCODE_DESCR>Sr Accounts Payable Clerk</JOBCODE_DESCR>
      <LOCATION>KUDE00</LOCATION>
      <LOCATION_DESCR>Delaware Operations</LOCATION_DESCR>
      <EMPL_STATUS>T</EMPL_STATUS>
      <COMPANY>GBI</COMPANY>
      <BUSINESS_UNIT>GBIBU</BUSINESS_UNIT>
      <BUSINESS_TITLE></BUSINESS_TITLE>
      <SUPERVISOR_ID></SUPERVISOR_ID>
    </JOB_ETA_VW>
  </Transaction>
</MsgData>

For example, mapping definitions for "EMPLID" and "DEPTID" elements will be
represented using XPath standard syntax as:

<eta21-attribute-mapping>
  <custom-element-xpath>PERSONAL_DATA…
  <attribute-name>eTUserid</attribute-name>
  <attribute-mod-flag>overwrite</attribute-mod-flag>
</eta21-attribute-mapping>
<eta21-attribute-mapping>
  <custom-element-xpath>PERSONAL_DATA/EMPLID</custom-element-xpath>
  <attribute-name>eTGlobalUserName</attribute-name>
  <attribute-mod-flag>overwrite</attribute-mod-flag>
</eta21-attribute-mapping>
<eta21-attribute-mapping>
  <custom-element-xpath>JOB…
  <attribute-name>eTDepartment</attribute-name>
  <attribute-mod-flag>overwrite</attribute-mod-flag>
</eta21-attribute-mapping>

The generic component handler 338 will be the end point in the BTL engine chain 
and ultimately will transform the PeopleSoft™ data into Workflow requests. 

Among other functions, the configuration GUI 116 will be employed to configure the 
various BTL handlers. The purpose of the configuration GUI 116 is to provide a means for a
system administrator to easily define the information that is needed in order to transform a 
PeopleSoft™ User Entry into an eTrust™ Admin Global User Entry. This information will 
include the resulting eTrust™ Admin Global User attributes and the means that is used to 
produce them. 

The BTL configuration GUI 116 will be comprised of the following interfaces:

• BTL Handlers Registration: This interface will allow the end user to register BTL 
handlers on the BTL engine and define their invocation order. 

• Attribute Mapping Interface: This interface will allow the end user to define the 
mapping parameters used by the BTL Mapping Handler. 

• Decision Tables Interface: This interface will allow the end user to create and add 
decision tables to be executed by the BTL Business Rules Handler. 



WO 2005/008539  PCT/US2004/022148



• General Configuration: This interface will allow the end user to set all remaining 
configuration parameters. 

It is worth noting that to define the mappings and the BR decision tables, specific
meta-data will be required. This meta-data will be needed for both eTrust™ Admin and
PeopleSoft™. In the case of PeopleSoft™, it will consist of the attributes that can be used
as parameters to the Decision Table Definitions. In the case of eTrust™ Admin, this data
will consist of a list of all supported Global User attributes. There will be two ways that the
PeopleSoft™ data can be obtained from the BTL Configuration GUI. The first is by using a
PeopleSoft™ Extract. From an existing extract the BTL configuration GUI will be able to
obtain the required meta-data. At any time, the system administrator will be able to add to
and modify this meta-data. In the case of eTrust™ Admin meta-data, a listing of the
attributes that exist will be readily available from the configuration GUI. In the BTL
Configuration GUI, the eTrust™ Admin meta-data may be modified as well.

With reference to FIGS. 4 and 5, a method for managing user data in a plurality of 
databases will be described illustrating the data flow where the source application is a 
PeopleSoft™ application and the target application is eTrust™ Admin. 

The PETAI module 502 will interface with PeopleSoft™ system 504 (step 402) and
will feed PeopleSoft™ data onto the BTL engine 506 through its Java Subscriber 512 (step 
404). The BTL engine 506 will generate a MessageContext object containing the 
PeopleSoft™ data and it will pass it on to the first BTL handler defined in the configuration 
file that in this case is the sample template handler 530 (step 406). The template handler 
530 will process and transform the MessageContext object and it will pass it on to next 
handler in the chain. The XSL files handler 532 receives the MessageContext and applies a 
chain of XSL Transformations, e.g., PSCAMA XSL and sample XSL (step 408).
The BR handler 534 receives the MessageContext object and transforms it executing
any decision tables defined in the configuration file (step 410), via the configuration GUI
516. Then, it will pass it on to the mapping handler 536. The mapping handler 536 receives 
the MessageContext object and transforms it assigning PeopleSoft™ data fields and custom 
fields to Global User attributes based on the mapping information in the configuration file 
(step 412). Then it will pass it on to the generic component handler 538. The generic 
component handler or end point handler (Dirsync Handler) will ultimately generate eTrust™ 
Admin Workflow requests (step 414), via the workflow engine 514. These request(s) will lead 
towards the provisioning, modification or de-provisioning of Global user and all associated 
accounts in the eTrust™ Admin application 508. 
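
A minimal model of the last three handlers in the chain described above (business-rule, mapping and end-point), added here as an illustration and not code from the patent or from eTrust™ Admin. The field names, decision-table rows and request shape are constructed assumptions; the example rejects a record that matches no decision-table row instead of provisioning it by default.

```python
from dataclasses import dataclass, field

@dataclass
class MessageContext:
    """Object passed from handler to handler (attribute names are assumptions)."""
    source: dict                                   # fields from the source application
    attrs: dict = field(default_factory=dict)      # Global User attributes after mapping
    action: str = ""                               # decided by the business-rule handler
    requests: list = field(default_factory=list)   # workflow requests to submit

# Constructed configuration standing in for the configuration file.
DECISION_TABLE = [            # (source field, value, action); first match wins
    ("EMPL_STATUS", "A", "provision"),
    ("EMPL_STATUS", "L", "modify"),
    ("EMPL_STATUS", "T", "deprovision"),
]
FIELD_MAP = {"EMPLID": "GlobalUserName", "NAME": "FullName", "DEPTID": "Department"}

def br_handler(ctx):
    """Business-rule handler: evaluate the decision table against source values."""
    for fld, value, action in DECISION_TABLE:
        if ctx.source.get(fld) == value:
            ctx.action = action
            return ctx
    # Fail closed: an unrecognized value must not turn into a provisioning request.
    raise ValueError("no decision-table row matched")

def mapping_handler(ctx):
    """Mapping handler: only mapped fields become Global User attributes."""
    ctx.attrs = {dst: ctx.source[src] for src, dst in FIELD_MAP.items() if src in ctx.source}
    if "GlobalUserName" not in ctx.attrs:
        raise ValueError("record has no identifier to map to a Global User")
    return ctx

def endpoint_handler(ctx):
    """End-point handler: turn the context into one workflow request."""
    extra = {k: v for k, v in ctx.attrs.items() if k != "GlobalUserName"}
    ctx.requests.append({"action": ctx.action,
                         "user": ctx.attrs["GlobalUserName"],
                         "attributes": extra})
    return ctx

def run_chain(source, chain=(br_handler, mapping_handler, endpoint_handler)):
    """Build a MessageContext and pass it through each handler in order."""
    ctx = MessageContext(source=dict(source))
    for handler in chain:
        ctx = handler(ctx)
    return ctx.requests
```

Unmapped source fields never reach the request, so sensitive HR data that the target does not need stays out of the provisioning path.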

The system and method according to embodiments of the present invention provide 
organizations the ability to capture changes to a source application, e.g., a PeopleSoft™ 
application, in real time. The system and method transform the data into "intelligible" user 
provisioning requests based on business rules associated with specific values in the source 
application data. The system and method then submit these requests via a workflow engine 
to a user provisioning engine, e.g., a target application, which ultimately sends (create, 
delete, or modify) requests to managed security systems. In summary, embodiments of the 
present invention automate the user provisioning process from a source application to the 
heterogeneous security systems making up the organization's IT infrastructure. 

While the invention has been shown and described with reference to certain 
preferred embodiments thereof, it will be understood by those skilled in the art that various 
changes in form and detail may be made therein without departing from the spirit and scope 
of the invention as defined by the appended claims. 

WHAT IS CLAIMED IS: 

1. An interface module for integrating data from a source application to a target 
application comprising: 

a publisher for publishing extracted data from the source application in at least one 
XML message; and 

a subscriber for uncompressing the at least one XML message. 

2. The interface module as in claim 1, wherein the publisher includes a full data 
replication mechanism for initially publishing the entire content of the source application. 

3. The interface module as in claim 2, wherein the publisher includes an 
incremental updates mechanism for publishing changes made to the source application after 
initial publication. 

4. The interface module as in claim 3, wherein the publisher filters 
effective-dated data and publishes active data. 

5. The interface module as in claim 1, wherein the subscriber is a Java 
subscriber. 

6. The interface module as in claim 1, wherein the subscriber further includes an 
EDI (Electronic Data Interchange) engine for uncompressing the at least one XML message 
when a number of XML messages is greater than a first predetermined threshold. 

7. The interface module as in claim 1, wherein the subscriber transforms data 
from a source application format to a target application format. 

8. The interface module as in claim 1, further comprising a message node for 
pointing the publisher to the subscriber. 

9. A method for integrating data from a source application to a target 
application, the method comprising the steps of: 

publishing an XML message of user data from the source application; 
receiving, decoding and uncompressing the XML message; and 
transforming the XML message into a workflow request for integrating the source 
data to the target application. 

10. The method as in claim 9, wherein the publishing step includes querying all 
records of user data of the source application and publishing an entire copying of the 
records. 

11. The method as in claim 10, wherein the publishing step includes querying all 
records of user data of the source application and publishing incremental changes relative to 
initial records. 

12. The method as in claim 10, further comprising the step of defining records 
and fields of the records of the user data to be published. 

13. The method as in claim 10, further comprising the steps of filtering 
effective-dated user data and publishing active data. 

14. A program storage device readable by a machine, tangibly embodying a 
program of instructions executable by the machine to perform method steps for integrating 
data from a source application to a target application, the method steps comprising: 

publishing an XML message of user data from the source application; 
receiving, decoding and uncompressing the XML message; and 
transforming the XML message into a workflow request for integrating the source 
data to the target application. 

15. The program storage device as in claim 14, wherein the publishing step 
includes querying all records of user data of the source application and publishing an entire 
copying of the records. 

16. The program storage device as in claim 14, wherein the publishing step 
includes querying all records of user data of the source application and publishing 
incremental changes relative to initial records. 

17. The program storage device as in claim 14, further comprising the step of 
defining records and fields of the records of the user data to be published. 

18. The program storage device as in claim 14, further comprising the steps of 
filtering effective-dated user data and publishing active data. 